Server hacked?

johanb boeckx.johan at telenet.be
Tue Jan 1 22:26:27 UTC 2008


Joris,

There seems to be some kind of rootkit running on your server. It 
concerns syn_sent, towards numbering devices, which inclines scans for 
open dcc-servers to send packets to. What I would advise you is to 
install a package searching for installed rootkits and scan your system 
with e.g. chkrootkit or rkhunter.
To answer your question: yes, in my humble opinion it concerns 
some kind of rootkit or trojan (rather rootkit than trojan).
greetz,
Johan

Joris Dobbelsteen schreef:
> Dear,
>
> I'm having a Linux server running Ubuntu 6.06 LTS (under vmware) and it
> seems to have some quite weird behaviour. For some reason (or another)
> the box seems to create OUTGOING connections to an IRC server from a
> supposed kernel address. Below is a snapshot of the netstat output...
>
> Can anyone provide some detailed information about this?
> (i.e. confirm my suspicion it is indeed a trojan or something)
>
> If so, I'm desiring to do some more diagnosis/forensics on the box to
> get to know what may have caused this strange behaviour. Can anyone provide
> some help on this?
>
> The box has PostFix, PowerDNS, Apache2 and SSH exposed to the Internet.
> Unfortunately it's connected to the single LAN segment I have at home.
> Fortunately I have a strict firewall that doesn't allow IRC out (I don't
> use it, so I do not need to allow it).
>
> Thanks in advance...
>
> - Joris
>
>
> root at shushan:~# netstat -tnp
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      1 192.168.10.xx:52020     216.152.66.54:6667      SYN_SENT    18687/[kjournald]
> tcp        0      1 192.168.10.xx:49383     216.152.66.48:6667      SYN_SENT    18599/[kjournald]
> tcp        0      1 192.168.10.xx:32936     216.152.66.46:6667      SYN_SENT    11304/[kjournald]
> tcp        0      1 192.168.10.xx:56901     216.152.67.49:6667      SYN_SENT    29965/[kjournald]
> tcp        0      1 192.168.10.xx:54354     216.152.67.30:6667      SYN_SENT    24235/[kjournald]
> tcp        0      1 192.168.10.xx:60278     216.152.66.47:6667      SYN_SENT    15412/[kjournald]
> [trusted entries removed]
>
>
>   
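The tell-tale in Joris's snapshot is a socket owned by something calling itself [kjournald]: a genuine kernel thread never owns a TCP socket and has no /proc/PID/exe target, so a bracketed name with a resolvable exe is a userland process hiding behind a kernel-thread name. The script below is an added example, not from the thread or from chkrootkit/rkhunter; it parses `netstat -tnp` output (the sample is constructed, modelled on the post), flags connections to IRC port 6667 or owned by bracketed names, and offers a /proc check for a flagged PID.

```python
import os
import re

# Constructed sample modelled on the netstat -tnp output in the thread;
# addresses and PIDs are illustrative only.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.10.5:52020      216.152.66.54:6667      SYN_SENT    18687/[kjournald]
tcp        0      0 192.168.10.5:22         192.168.10.2:50112      ESTABLISHED 1122/sshd
tcp        0      1 192.168.10.5:49383      216.152.66.48:6667      SYN_SENT    18599/[kjournald]
"""

IRC_PORTS = {6667}
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<laddr>\S+)\s+(?P<raddr>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>.+?)\s*$"
)

def parse_netstat(text):
    """Return one dict per connection line of `netstat -tnp` output."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["rport"] = int(d["raddr"].rsplit(":", 1)[1])
            conns.append(d)
    return conns

def looks_like_kernel_thread(prog):
    # netstat shows kernel threads as [name]; a userland binary can set the same comm.
    return prog.startswith("[") and prog.endswith("]")

def suspicious(conns, irc_ports=IRC_PORTS):
    """Sockets owned by a 'kernel thread' name, or heading to an IRC port."""
    return [c for c in conns
            if looks_like_kernel_thread(c["prog"]) or c["rport"] in irc_ports]

def has_userland_exe(pid, proc="/proc"):
    """True if /proc/PID/exe resolves. Real kernel threads have no exe target,
    so a bracketed name whose PID has one is a process hiding behind it.
    Run as root: for other users' processes readlink fails with EACCES."""
    try:
        os.readlink(os.path.join(proc, str(pid), "exe"))
        return True
    except OSError:
        return False
```

On the live box, feed the real output in with `suspicious(parse_netstat(open("netstat.txt").read()))` and then call `has_userland_exe(pid)` for each flagged PID; a rootkit that hooks /proc can hide the exe link, so a clean result does not clear the host.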





More information about the ubuntu-users mailing list